Oct, 2021 · 5 min read
When thinking about information security there are a number of areas to consider that are relevant for small and large law firms or Alternative Dispute Resolution service providers. The first area is referred to as data at rest. This is your client's information that is stored on file systems, in databases or in document management systems. The second area is known as inflight data or data that is in motion. For example, this could be information that you entered on your screen and then hit enter. The inflight data is the data that is traveling through the internet on its way to be stored or acted upon by your application. The next area to think about is known as attack and penetration threats. This is about bad people trying to exploit weakness or vulnerabilities in your application or computing infrastructure. These types of incidents are currently in the news including the SolarWinds attack on the US Government and the Microsoft Exchange attack that the US has implicated China in. And finally the last area to consider are non-computer related security issues.
To protect against these potential security exposures there are a number of standard things to be done by either you or your law firm's or ADR center's technology provider.
For data at rest the number one protection is data encryption. This should be done to all data residing on file servers, data bases, and document management systems as well as data locally stored on your personal computer. This way if someone gains access to the data it will be unreadable. In addition you should delete / purge data that is no longer needed. This reduces exposure and can also improve system performance and reduce costs.
For inflight data there are a couple of key approaches that are used. The first is to encrypt the data as it is moving throughout the internet. This should be provided by your software provider. The second is by using a VPN service (virtual private network). A VPN service provides an extra layer of encryption and data protection over a public network by hiding your traffic as if it were on your own private network. Make sure you select a reputable paid service.
To guard against hacker attacks your technology provider should leverage modern firewall technologies and severely limit what network traffic allowed through it. This should limit access to the computers that your client's information is resident on. A second key approach is to make sure that your legal software application vendor encrypts the URL (universal resource locator) which is the address of a web page that you place or is placed for you in your web browser (e.g., www.google.com). For example at Caseroads our URLs look like this: https://app.caseroads.com/39539f6a-6136-4ff3-a0a8-9d74e14f24b7. We use https, which stands for the Hypertext Transfer Protocol Secure, and provides data encryption over the internet and we encrypt the actual URL that follows the HTTPS. Both of these are key to securing data in our legal and ADR practice management software.
Do not forget to protect data that is outside of your computing environment:
And finally do not forget to: